What are the HIPAA Rules for Record Retention?

The Health Insurance Portability and Accountability Act, commonly known as HIPAA, gives different guidance on how long different types of data must be kept, which has led organizations to investigate what exactly the HIPAA rules for record retention are.

HIPAA's retention requirements distinguish between two types of records: medical records and other records. HIPAA covered entities must know which type each record belongs to in order to retain it appropriately.

The HIPAA rules for retaining medical documents are in fact quite simple. They are primarily a part of the HIPAA Privacy Rule, which has been the source of confusion in the past. The text of the law states that appropriate administrative, technical and physical measures have to be in place to “protect the privacy of Protected Health Information for whatever period such information is maintained”.

What Does This Mean?

HIPAA’s Privacy Rule is worded this way, without a definite retention period for how long medical records should be kept, because HIPAA itself does not include a minimum duration for which records must be held. Instead, this is mandated by each individual state. In many instances HIPAA takes precedence over state law, but record retention is not one of them.

This means that organizations covered by HIPAA, as well as their business associates, must carefully examine the laws of each state where they operate or from which they source data. This is an area where there can be a large and disparate range of mandatory periods. In addition, the period may be determined by the HIPAA covered entity’s role in the healthcare sector, as in the examples below:

  • Physicians practicing in Florida are required to keep medical records for five years after the last contact with each patient. Hospitals, on the other hand, must maintain them for seven years.

  • Nevada healthcare providers have to maintain medical records for at least a period of five years. If the patient is a minor then the records must be kept until the patient is twenty-three years of age.

  • In North Carolina, the periods are even longer; hospitals must maintain patients’ records for eleven years from the date of discharge, and records relating to minors must be retained until the patient has reached the age of thirty years old.

What About Other Records?

If the periods for medical records are determined at the state level, then what about other records? Some documents concerning HIPAA are covered in the law itself. Records relating to compliance procedures and policies, for example, must be kept for a period of six years. The countdown of this period starts either from the date the document was created or from the last date on which a policy or procedure was in use, whichever is later. For example, a policy created in 2010 that was being followed until 2014 would need to be retained until 2020, six years after it was last in effect, not six years after it was created.

The exact documents which need to be retained vary by the organization’s activity. Some common records include:

  • Notices of Privacy Practices.

  • Authorizations for the Disclosure of PHI.

  • Risk Assessments and Risk Analyses.

  • Disaster Recovery and Contingency Plans.

  • Business Associate Agreements.

  • Information Security and Privacy Policies.

  • Employee Sanction Policies.

  • Incident and Breach Notification Documentation.

  • Complaint and Resolution Documentation.

  • Physical Security Maintenance Records.

  • Logs Recording Access to and Updating of PHI.

  • IT Security System Reviews (including new procedures or technologies implemented).

In addition to HIPAA retention requirements, organizations should also pay attention to any documents they may be obliged to retain under other laws, such as employment law or industry specific statutes.